GitHub

[Security] Authenticated backup import and MCP stdio configuration allow host Python zipapp execution in AstrBot #8860

A dashboard user who can import backups and add MCP stdio servers can execute arbitrary Python code as the AstrBot process user on the host. The reachable impact includes disclosure of application ...